.NET Framework 4 Update Error: "Generic Trust Failure" (0x800B010B)

Article ID: 2694321

SYMPTOMS

When you try to install an update for Microsoft .NET Framework 4.0, you might receive a “Generic Trust Failure” (0x800B010B) error, and the installation fails. In the .NET Framework setup log file in the %temp% folder, you find the following error message:

Signature verification for the file <FileName> (<PathToFile>\<FileName>) failed with error <Error>.

You may also find one or more of the following error messages in the setup log file:

Error message 1
<Error> is “0x800B010E” (CERT_E_REVOCATION_FAILURE).

Error message 2
<Error> is “0x800B010A” (CERT_E_CHAINING) or “0x800B0109” (CERT_E_UNTRUSTEDROOT).

Error message 3
<Error> is “0x80096005” (TRUST_E_TIME_STAMP).

Error message 4
<Error> is “0x800B0101” (CERT_E_EXPIRED).



CAUSE

This problem occurs because the signature verification fails.

If you receive error “0x800B010E”, the error occurs because the URL cache on the destination computer does not contain an up-to-date certificate revocation list (CRL) for the signature that is used to sign the update.

If you receive error “0x800B010A”, the error occurs because the destination computer does not contain the root certificate that is used to sign the update.

If you receive error “0x80096005”, the error occurs because the URL cache on the destination computer does not contain an up-to-date certificate revocation list (CRL) for the timestamp countersignature that is used to sign the update.

If you receive error “0x800B0101”, the error occurs because a third-party cryptographic service provider (CSP) is installed on the destination computer that does not support timestamps.

RESOLUTION

To resolve this issue, use one of the following methods based on your symptom:

For error “0x800B010E”:
If you receive error “0x800B010E”, follow these steps to resolve the issue:

  1. Download and install the SignTool command-line tool from the Windows SDK at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa387764.aspx
  2. Start the Windows SDK Command Prompt under the same account that is used to install the Microsoft .NET Framework update. Run the following signtool command at the Windows SDK Command Prompt. It verifies the signature and helps bring the CRL cache up to date.

    Signtool.exe verify /pa <Path Of the .NET Framework 4.0 Update>

  3. If the revocation server is offline or there is a problem with the CRL, signtool may report the same error “0x800B010E” (CERT_E_REVOCATION_FAILURE). To work around this issue, run the following command at the Windows SDK Command Prompt. It enables offline approval for commercial certificates.

    Setreg.exe 5 false

For error “0x800B010A”:
If you receive error “0x800B010A”, use one of the following methods:

Method 1:

Manually update root certificates on your computer. For more information about how to update root certificates manually, click the following article number to view the article in the Microsoft Knowledge Base:  
172553 Windows root certificate program members

Method 2:

  1. Download and install the SignTool command-line tool from the Windows SDK at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa387764.aspx
  2. Start the Windows SDK Command Prompt under the same account that is used to install the Microsoft .NET Framework update. Run the following signtool command at the Windows SDK Command Prompt. When signtool validates the certificate chain, it helps retrieve missing root certificates from Windows Update.

    Signtool.exe verify /pa <Path Of the .NET Framework 4.0 Update>

For error “0x80096005”:
If you receive error “0x80096005”, follow these steps to resolve the issue:

  1. Download and install the SignTool command-line tool from the Windows SDK at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa387764.aspx
  2. Start the Windows SDK Command Prompt under the same account that is used to install the Microsoft .NET Framework update. Run the following signtool command at the Windows SDK Command Prompt. It verifies the signature and helps bring the CRL cache up to date.

    Signtool.exe verify /pa <Path Of the .NET Framework 4.0 Update>

  3. If the computer cannot retrieve the CRL because of a disconnected network or a firewall block, signtool may report the same error “0x80096005” (TRUST_E_TIME_STAMP). To work around this issue, run the following command at the Windows SDK Command Prompt. It disables the revocation list check on the time stamp signer.

    setreg.exe 9 false

For error “0x800B0101”:

If you receive error “0x800B0101”, you must request a newer version of the CSP from the software vendor.
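
As an added example (not part of the original article and not Microsoft tooling), the following PowerShell function scans setup log lines for the signature verification message quoted in SYMPTOMS and maps each error code to the name and cause given in this article. The function name Get-SignatureFailure, the file name and path in the sample lines, and the sample lines themselves are constructed for illustration.

```powershell
# Added example: triage setup log lines for signature verification failures.
# Codes, names and causes come from this article; everything else is illustrative.
$KnownErrors = @{
    '0x800B010E' = @{ Name = 'CERT_E_REVOCATION_FAILURE'; Cause = 'No up-to-date CRL cached for the signing certificate' }
    '0x800B010A' = @{ Name = 'CERT_E_CHAINING';           Cause = 'Root certificate missing on this computer' }
    '0x800B0109' = @{ Name = 'CERT_E_UNTRUSTEDROOT';      Cause = 'Listed with 0x800B010A under Error message 2' }
    '0x80096005' = @{ Name = 'TRUST_E_TIME_STAMP';        Cause = 'No up-to-date CRL cached for the timestamp countersignature' }
    '0x800B0101' = @{ Name = 'CERT_E_EXPIRED';            Cause = 'Third-party CSP that does not support timestamps' }
}

function Get-SignatureFailure {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    begin {
        # Follows the message format quoted in SYMPTOMS; "the" is treated as optional.
        $pattern = 'Signature verification for (?:the )?file (?<File>.+?) \((?<Path>.+?)\) ' +
                   'failed with error (?<Code>0x[0-9A-Fa-f]{8})'
    }
    process {
        if ($Line -match $pattern) {
            # Normalise the hex digits so lower-case codes in a log still match the table.
            $code = '0x' + $Matches.Code.Substring(2).ToUpperInvariant()
            $info = $KnownErrors[$code]
            [pscustomobject]@{
                File  = $Matches.File
                Path  = $Matches.Path
                Code  = $code
                Name  = if ($info) { $info.Name }  else { 'not covered by this article' }
                Cause = if ($info) { $info.Cause } else { 'unknown' }
            }
        }
    }
}

# Constructed sample lines in the format quoted in SYMPTOMS (not from a real log).
$sample = @(
    'Signature verification for the file update.exe (C:\Temp\update.exe) failed with error 0x800b010e.'
    'An unrelated setup log line'
    'Signature verification for the file update.exe (C:\Temp\update.exe) failed with error 0x80096005.'
)
$sample | Get-SignatureFailure | Format-Table File, Code, Name, Cause -Wrap
# For a real log: Get-Content <PathToSetupLog> | Get-SignatureFailure
```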


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2694321 - Last Review: July 11, 2012 - Revision: 1.0
APPLIES TO
  • Microsoft .NET Framework 4
Keywords: 
kbsurveynew kbexpertiseadvanced KB2694321
